Australian Broadcasting Corporation Exposed Sensitive Data Online
The Kromtech Security Center has discovered at least two unsecured AWS S3 repositories ('buckets') that appear to belong to the Australian Broadcasting Corporation, or ABC as it is more commonly known. Owned by the Australian government, it operates similarly to the BBC and is funded by a combination of taxpayer money and a for-profit business model.
Security researchers identified a trove of data connected with ABC Commercial, the division of the Australian Broadcasting Corporation that focuses on revenue and earnings through retail, content sales, and consumer publishing. The data included information about production services and stock files that should not have been publicly available online. ABC Commercial provides content marketing, distribution, and a wide range of digital services. It also sells traditional items such as books, branded merchandise and audio-visual products like CDs and DVDs. Despite being government owned, it claims to be fully independent of politics.
This is not the first time ABC has suffered a data breach in the last few years. In 2013 it was reported that ABC's website was hacked, and as a result the details of around 50,000 users were leaked online, including usernames, email addresses, password hashes, and other user details. The 2013 incident was identified as a targeted hack; in the most recent discovery, by contrast, ABC's system administrators misconfigured an Amazon S3 "bucket" to allow public access. A publicly listable bucket gives anyone with an internet connection the ability to browse its contents using nothing more than a web browser, since the bucket's listing and objects are served as plain HTTP responses.
The leak occurred just one week after Amazon introduced its new S3 encryption and security features, aimed at giving users more security options. Kromtech launched its S3 Inspector tool one month ago to help IT administrators check AWS S3 buckets for security. It has been more than a year since we at Kromtech Security started alerting businesses and communities to the dangers of allowing public access to S3 repositories.
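The public-access misconfiguration described above can be caught by inspecting a bucket's ACL and bucket policy for grants to anyone. The following is an added example written for this article; it is not Kromtech's S3 Inspector and not ABC's configuration. The sample ACL and policy documents are constructed here, in the shape that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return them, so the checks run offline; in practice you would feed them the real responses for each bucket in the account.

```python
"""Flag S3 bucket ACLs and bucket policies that grant public access.

Added example; the ACL and policy documents below are constructed
(not from the article or from ABC's real buckets).
"""
import json

# Pre-defined groups that make an ACL grant public. AllUsers is anyone on the
# internet, with no credentials at all; AuthenticatedUsers is any AWS account
# holder, which in practice is also public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def acl_findings(acl):
    """Return (group, permission) pairs for every public grant in an ACL."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEES:
            findings.append((PUBLIC_GRANTEES[uri], grant["Permission"]))
    return findings


def _principal_is_wildcard(principal):
    """True if a policy Principal matches everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy):
    """Split wildcard-principal Allow statements into (public, needs_review).

    A wildcard principal with no Condition is public. One with a Condition
    (for example restricting aws:SourceVpce) may be fine, so it is returned
    separately for a human to look at rather than silently passed.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be un-listed
        statements = [statements]
    public, review = [], []
    for st in statements:
        if st.get("Effect") != "Allow" or not _principal_is_wildcard(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        (review if st.get("Condition") else public).append((st.get("Sid", ""), actions))
    return public, review


def audit_bucket(acl, policy=None):
    """Combine both checks into one verdict for a bucket."""
    acl_hits = acl_findings(acl)
    pol_hits, pol_review = policy_findings(policy) if policy else ([], [])
    return {"public": bool(acl_hits or pol_hits), "acl": acl_hits,
            "policy": pol_hits, "needs_review": pol_review}


# Constructed ACL of a bucket exposed the way the article describes: a READ
# grant to the AllUsers group lets anyone list the bucket's keys.
EXPOSED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# The same bucket after the public grant is removed (owner-only).
FIXED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    ],
}

# Constructed bucket policy that makes every object world-readable even if
# the ACL itself is clean; the bucket name is hypothetical.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
    }],
})

if __name__ == "__main__":
    for name, acl, pol in (("exposed", EXPOSED_ACL, EXPOSED_POLICY), ("fixed", FIXED_ACL, None)):
        print(name, audit_bucket(acl, pol))
```

The ACL and the bucket policy are independent ways to open a bucket, so an audit that only looks at one of them misses the other; a wildcard principal guarded by a Condition is deliberately surfaced as "needs review" rather than treated as safe, because whether that condition actually limits access is a judgement the script cannot make.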
What The Leak Contained:
The publicly accessible Amazon S3 buckets were indexed by Censys (a public search engine that enables researchers to ask questions about the hosts and networks that compose the Internet) and identified during a regular security audit of misconfigured S3 environments on November 14th. It is unclear who else may have had access to ABC's data or content. The majority of what would be considered sensitive or identifiable data came from the daily backups of ABC Commercial's MySQL database. This included information such as:
- Several thousand emails, logins and hashed passwords for ABC Commercial users who access ABC content (including users who are well-known members of the media)
- Requests for licensed content, sent by TV and media producers from all over the world seeking to use ABC's content and pay royalties
- A secret access key and login details for another repository containing advance video content
- 1,800 daily MySQL database backups from 2015 to the present
We immediately sent notification emails to the database owners and also got in touch with ABC Technology security specialists. All reported buckets were successfully secured within minutes.
A special thank you goes to Troy Hunt for assisting in connecting us with the necessary people at ABC.
Screenshot of publicly accessible folders in one of the buckets, containing list of daily MySQL backups.
Redacted screenshot of one of the user tables in MySQL database backups, all publicly available.
This is another warning for ABC to take cyber security seriously and to audit all servers, repositories, and backups regularly. The most unfortunate part is that the issue occurred due to human error rather than a malicious attack. It seems that every few days there is yet another data breach, ransomware threat or newly discovered security flaw, and companies and organizations must do more to be proactive about how they store sensitive data online.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org